Naavi.org

CIO Prime has featured Naavi as the most influential visionary leaders of the year. Reflecting on the past in the light of this article I recall

1) First book on Cyber Laws in India in 1999 before the law was passed.

2). Creation of www.naavi.org (initially as naavi.com) as a Cyber Law Portal

3) Introduction of first Virtual education through Cyber Law College

4) Introduction of Cyber Law Courses in KLE Law College, SDM Law College, JSS Law College, BMS Law College, St joseph Law College as well as NLSUI, NALSAR

5) Introduction of Cyber Law for Engineers at PESIT, Bangalore

6) Handling the Cyber Evidence Archival Center and presentation of India’s first Section 65B certificate in the case of State of Tamil nadu Vs Suhas Katti

7) Handling of S. Umashankar Vs ICICI Bank case through adjudication, Cyber Appellate Tribunal, TDSAT and Madras High  Court through 14 years of litigation.

8) Formation of FDPPI

9) Creation of Certificate programs for Data Protection Professionals in 2019

10) Book on “Guardians of Privacy..”

11) Introduction of course on Data Protection at NALSAR

12) Introduction of Data Protection to management students in IIM Udaipur

13) Concept of Naavi’s Theory of Data

14) Introduction of DGPSI (Data Governance and Protection Standard of India)  as a framework for compliance of DPDPA

15) Concept of Data Valuation Standard of India

16) Introduction of DGPSI-AI as a framework for AI regulation

17) Introduction of DGPSI-GDPR taking the Made in India framework to the global scene

18) Introduction of DGPSI-DP to push for voluntary DPDPA Compliance by Data Processors

19) Receipt of the Dena Bank award of public excellence

20) Receipt of the Life time achievement award for Cyber Jurisprudence

21) Receipt of the life time achievement award for Privacy.

There would be many more achievements that could have been missed in the  above list.

Nothing gives me more satisfaction than creating DGPSI as a framework for Compliance which is blossoming into multiple dimensions such as DGPSI-AI, DGPSI-HR,DGPSI-DP, DGPSI-GDPR etc.

Hope the list expands further in the days to come.

There are two projects CEAC Drop Box and Online Dispute Resolution (ODR Global) which still hold huge promises yet to be realized.  Hope these dreams come true in the coming year along with a major initiative in DPDPA which should be unveiled shortly.

Reminded of the words of Nehru duing our independence ..”Miles to go before I sleep, Miles to go before I sleep”..

Naavi

The recent challenge mounted on DPDPA 2023 in the Supreme Court by a few PIL advocates relies heavily on the argument that Section 44(3) of the Act which amends Section 8(1)(j) of RTI Act 2005 fails the “proportionality test” that the need to protect “Privacy” restricts the “need to share information in public interest”.

However the petitions cumulatively pray that the entire DPDPA 2023 be scrapped and Entire DPDPA Rules 2023 be scrapped.

Where is proportionality in this prayer?

Had the petitioners come with a fair request, petitioners would have asked for a Reading down of Section 8(1)(j) of RTI Act read with Section 44(3) of DPDPA 2023.

The prayers leading to scrapping of the Act and the Rules is therefore “disproportionate” to the requirement even as suggested by the petitioners.

The fears of “Surveillance Regime” and “Blanket Ban on release of information required for public good” is a “Disproportionate Speculation” of the prediction of a catostrophe not supported by any valid reasons.

The expectation that the Parliament that had created the law under Section 8(1)(j) when there was no DPDPA 2023 should not review and revise the provision when a new law comes in is a “Disproportionate Expectation” that law makers do not have  the right to make course corrections to the law.

Hence the petitions and the prayer constitue disproportionate speculation of fear disproportionate expectation and disproportionate prayer”.

We trust that the Supreme Court first recognizes that the petitoners have not come with a clean hand and are seeking a disproportionae solution to an imaginary problem.

We shall demonstrate in the coming articles of how there can be acceptable solutions that will meet reasonable speculation and reasonable fear of misuse.

Naavi

The UIDAI has launched a new Aadhaar App which according to the Secretary of MeitY , can be used for age verification under DPDPA. Necessary amendments have been made to SWIK rules or the  Aadhaar authentication for goog governance  (Social welfare, Innovation, Knowldege) rules 2020 to enable private entities to provide service by using adhar authentication on secure basis.

This was expected and is a welcome move to resolve the difficulty of “Verifiable Consent” envisaged under DPDPA.

The new Aadhaar app is an official mobile application developed by UIDAI that enables digital, offline, and consent‑based Aadhaar verification. Unlike earlier apps, it allows users to verify their identity using Face Authentication or QR scanning without revealing their Aadhaar number. It offers features such as selective data sharing via QR codes, biometric lock/unlock, authentication history, and management of up to five family Aadhaar profiles. The app supports use cases like hotel check-ins, hospital visits, age verification, and gig worker verification

The new Aadhaar app offers several advantages over older verification methods.

• Eliminates the need for physical Aadhaar cards.
• Enhances privacy through masked and offline verification.
• Faster identity verification for daily services.
• Reduces risk of Aadhaar data misuse.
• Works even in low or no‑internet environments.
• Government‑backed and officially launched by UIDAI.
• Several personal information updates can be completed using the app without visiting an Aadhar kendra.

Naavi

Reference:

The Hindu

About the new App at cleartax

Whenever an electronic document is to be presented as evidence in a Cour of law, the ITA 2000 expected a certificate to be produced about the reliability of the document for admission purpose. Earlier it was through Section 65B of Indian Evidence Act.

Naavi was the first person in India to produce such a certificate in a court case starting with the Stte of Tamilnadu vs Suhaskatti case in 2004. Since then more than 125 such certificates have been produced by Naavi in different courts.  While Naavi has stopped providing such certificates now due to the inability to attend court hearings to verify the certificates, there are other associates who have been developed for the purpose in Bangalore.

After the replacement of Indian Evidence Act with  Bharatiya Sakshi Adhiniyam (BSA), the new section related to certification is Secion 63.

The MHA made some changes in the Section 65B certification requirements in the process.

Now a PIL has been filed in Chennai by Sri S.Balu, former Additional SP, on behalf of Cyber Society of India. Mr Balu who was in charge of the Chennai Cyber Crime Police Station and has worked on many Cyber Crime cases along with Naavi. The petition has been filed at the Madras High Court as a writ petition WP/0047513/2025 in the Court of Honourable Chief Justice  G.Arul Murugan. It will be taken up along with WP37423,27426,27880/2024 on a future date. (Not announced).

The petition has prayed for amendment to Section 63(4)(c) citing impracticality of certain provisions of the Section.

The respose of the Court would be interesting and we  shall follow the developments here.

Section 63(4) of BSA is reproduced here for reference

In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the electronic record at each instance where it is being submitted for admission, namely:-

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a) to (e) of sub-section (3);

(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and

purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and

an expert shall be evidence of any matter stated in the certificate; and

for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.

Naavi

Refer: Earlier article  Section 63 of Bharatiya Sakshya Adhiniyam

India has witnessed a continued battle on introduction of Privacy laws since 2 decades. Every time the Government makes an  attempt whether in 2006 when the Personal Data Protection Bill 2006 was introduced in the Parliamemnt by the then Government of which Mr Kapil Sibal was a part to the period of  2017 to 2023 when Supreme Court through the Putaswamy Government pushed the need for a law, there has been opposition for the law on one ground or the other.

Now after a long delay, Government of the day has taken steps to announce the time line of implementation. The law was enacted on 11th August 2023 but the implementation is happenning only on 13th May 2027 nearly 4 years later.

From 2023 to till date activists had the freedom to assist the Government to make appropriate challenges provided they were willing to have some flexibility to understand that “Privacy Cannot be allowed to be a tool of Criminals to hide”. They however waited till the date of implementation was frozen and have now gone to the Supreme Court.

On the face of it, the petitions of Reporter’s Collective, Mr Venkatesh Nayak and NCPRI are focussed on the dilution of the RTI Act but the petitions are not limited to the controversy on Section 44(3). The prayer extends to scrapping of DPDPA and the rules.

The grounds apart from the RTI Act is  “Unfettered powers to the Government on surveillance”, “DPB susceptible to  Executive Control” , “Vagueness,overboard  and arbitrary”, “Disproportionate to the needs”, “Enabling unreasonable digital searches” , “Lack of balance between protection of Privacy Rights and Right to Information” etc.

One of the petitions specifically asks for striking down of Sections 5, 6, 8, 10, 17, 18, 19, 36, and 44(3), alongside Rules 3, 6, 7, 8, 9, 13, 16, 17, and 23 of the 2025 Rules.

In the past we have seen that the Government of India has not adequately defended the rights of citizens in the Supreme Court against the powerful advocates such as Mr Kapil Sibal, Prashant Bhushan and Vrinda Grover. These are firebrand advocates who are considered capable of swaying the views of the Court through their commendable skills of articultion.

FDPPI is committed to ensuring that DPDPA is implemented without further delay. While we do support many changes in the rules to enable “Compliance without Pain” and “Penlty without Grudge”, the objective of “DPDPA implementation at the earliest” remains in the forefront.

We shall therefore give a series of informative articles here which explains each of the DPDPA Clauses on which some objection has been raised.

We may also have to take a look at Subash Chandra case or Ankit Garg case or Girish Ramachandra Deshpande case which have been cited along with the Puttaswamy case to defend the petitions.

We believe that the Rules are flexible and can be tweaked if necessary. Supreme Court also has the power to read down any of the provisions of the law. A Combination of “Reading down” and “Tweaking of the Rules” can together satisfy the petitioners without the need for scrapping the law.

We hope the information provided here would help the other professionals to understand and follow the case more effectively. (The next hearing is on March 23)

Follow us and contribute your thoughts…

Naavi

On 25th May 2016, GDPR became a law. It provided a window of 2 years for implementaion and hence the law became effective from 25th May 2018. We now have the experience of 8 years of implementation and hundreds of cases where penalties were imposed. According to the enforcementtracker.com, 2775 complaints have been recorded and a total fine of of 6.8 billion Euros have been imposed. We are not awaare of how much has been actually collected and the state of litigations. Now about 30-40 fines are being imposed each month. (refer tracker report 2025).

The highest fine imposed  was EUR 1.2 billion on Meta Platforms. Some of the other countries have mocked the astronomical fines imposed by GDPR authorities in various countries. These fines have remained under dispute and we need to wait a long time before they become a reality. Since EU had a data protection directive even before GDPR, there were trials based on the earlier directive undertaken after 25th May 2018.

Many countries who followed EU with their own laws also adopted measures to impose their own fines and a global cost of data management was imposed on the industry. Out of these UK has imposed fines of about 15 million  pounds. Cumulative data of other countries is not easily available.

The practice of imposing fines on global turnover basis and on foreign entities, created a fear and urgency for compliance but has not endeared GDPR to the organizaions.

Organizations incurred high costs of compliance particualrly during the period 2018-2020 and have been maintaining substantial expenses since then.  During 2016-2018 according to one survey, the investment for compliance was around $7.8 billion and since then there is annual expenditure of around $10 million each year by about 40% of organizations while around 88% spend less than $1 million. In 2025, the global market for GDPR tools was estimated to be around $3.7 billion. A conservative estimate on a global level indicatesmore than $20 billion invested in compliance.

In India it is estimated that the industry would spend around Rs 10000 crores in the next 3 years on compliance.

 The transparency brought about by GDPR is good for the public but there is still problems of cosnent fatigue and the realization that this cost can finally only be borne by the consumers in the long run since large data processors have continued to prosper.

The smaller entities in the industry (Despite exemptions provided under GDPR)  have however borne the brunt of the problems arising out of increased compliance burden.

India now has an opportunity to learn from these developments and ensure that SMEs and MSMEs are not unduly harassed as if this is a new tax regime. The responsibility for this falls squarely on the Data Protection Board and the MeitY.

While many other organizations will look at the so called “Rs 10000 crore Market” and how they can exploit it, FDPPI is concerned about

a) How to increase awareness of compliance particualrly at the industry level

b) How to ensure that the penalty system remains fair

c) How to ensure that the rules of compliance are  practical

We have miles to go before we sleep…to achieve “Compliance without Pain and Penalty without a grudge”.

Naavi